This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Decryption: Forward Trust unavailable

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption: Forward Trust unavailable

Go to solution
KTarver
L1 Bithead

‎09-16-2024 11:42 AM

Hello,

 

After creating a external CA cert, the Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA are greyed out.  So I can't select.

 

All options are available when a create a self-sign certificate.  

Any idea?

Thanks

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
Brandon_Wertz
L6 Presenter
In response to KTarver

‎09-18-2024 07:20 AM

@KTarver wrote:

Hi Brandon and thanks for your reply.

 

I am having trouble following you.

 

Purely from a PKI stand point, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard.  That is on the decryption side (LAN ingress traffic).

 

But my issue is before getting to that point.

 

From the FW, I created a csr --> processed it with the CA and got a cert --> uploaded the new cert to the fw.  When I do this, 2 issue occur:

1- The csr remain "pending"

2- The newly uploaded cert have all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.

 

I am trying to understand why the 2 above is happening.

 

Thanks again Brandon

When doing SSL Interception the decryption certificate needs to be a wildcard certificate that can impersonate any domain from any TLD.  If it's not a wildcard certificate then it won't work.  Like @BPry mentioned I'm going to assume you meant your "external CA" was external from the FW, not external from your enterprise.

 

Your internal PKI has a "Root" and some "Intermediate" certificate authority servers.  Those CAs need to be loaded to your FW.  Those CAs need to be loaded in your client machine cert stores.  You need to generate a CSR from the firewall from one of those Intermediate CAs, which will then be signed by your internal PKI as a wildcard certificate.  When they sign the cert and give it back to you, when you upload it you should see it chained and shown in this screenshot:

Root --> ICA (Intermediate CA) --> SSL Cert:

Brandon_Wertz_0-1726668972596.png

 

Brandon_Wertz_1-1726669173782.png

 

 

The specific steps to get this to work can be found here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0&lang=en_US

View solution in original post

Go to solution
KTarver
L1 Bithead
In response to Brandon_Wertz

‎09-18-2024 12:45 PM

Hi Brandon,

 

Thanks for the information!  That was very useful.  I did what you said and created the wilcard in the CN of the CSR.  That allow me to successfully import the cert created by the CA and the options are now available to select!

 

Thanks Brandon!

View solution in original post

7 REPLIES 7

Go to solution
BPry
Cyber Elite
Cyber Elite

‎09-16-2024 12:07 PM

@KTarver,

Sounds like you don't have the private key. When you say you created an external CA cert, do you mean you generated a self-signed CA on the firewall itself or you created the request to have the certificate created by an external CA (like an enterprise CA)?

0 Likes Likes

Go to solution
Brandon_Wertz
L6 Presenter

‎09-17-2024 08:39 AM

@KTarver wrote:

Hello,

 

After creating a external CA cert, the Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA are greyed out.  So I can't select.

 

All options are available when a create a self-sign certificate.  

Any idea?

Thanks

If you're trying to do SSL Decryption for your internal systems you shouldn't be using an external certificate authority.  You're ultimately going to need a wildcard certificate for everything on the Internet and no external CA is going to give you that.

You're going to either need to have an internal CA that is trusted by all your internal clients or you can create it from the firewall, but again you'd need to have the full firewall CA certs to include the wildcard cert as trusted for your internal clients.  Otherwise the client browsers will throw errors about the interception process.

0 Likes Likes

Go to solution
KTarver
L1 Bithead
In response to Brandon_Wertz

‎09-17-2024 10:07 AM

Hi Brandon and thanks for your reply.

 

I am having trouble following you.

 

Purely from a PKI stand point, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard.  That is on the decryption side (LAN ingress traffic).

 

But my issue is before getting to that point.

 

From the FW, I created a csr --> processed it with the CA and got a cert --> uploaded the new cert to the fw.  When I do this, 2 issue occur:

1- The csr remain "pending"

2- The newly uploaded cert have all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.

 

I am trying to understand why the 2 above is happening.

 

Thanks again Brandon

0 Likes Likes

Go to solution
KTarver
L1 Bithead
In response to BPry

‎09-17-2024 10:10 AM

Hi BPry and thanks for your reply.

 

The later.  

I created a csr via the fw --> processed it through the CA --> uploaded the new cert to the fw.  

Part of the process when creating a csr, is the creation of the private and public key local to the device.  This way the private key stay safe.  So a private key exist.

 

Thanks again BPry!

0 Likes Likes

Go to solution
Brandon_Wertz
L6 Presenter
In response to KTarver

‎09-18-2024 07:20 AM

@KTarver wrote:

Hi Brandon and thanks for your reply.

 

I am having trouble following you.

 

Purely from a PKI stand point, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard.  That is on the decryption side (LAN ingress traffic).

 

But my issue is before getting to that point.

 

From the FW, I created a csr --> processed it with the CA and got a cert --> uploaded the new cert to the fw.  When I do this, 2 issue occur:

1- The csr remain "pending"

2- The newly uploaded cert have all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.

 

I am trying to understand why the 2 above is happening.

 

Thanks again Brandon

When doing SSL Interception the decryption certificate needs to be a wildcard certificate that can impersonate any domain from any TLD.  If it's not a wildcard certificate then it won't work.  Like @BPry mentioned I'm going to assume you meant your "external CA" was external from the FW, not external from your enterprise.

 

Your internal PKI has a "Root" and some "Intermediate" certificate authority servers.  Those CAs need to be loaded to your FW.  Those CAs need to be loaded in your client machine cert stores.  You need to generate a CSR from the firewall from one of those Intermediate CAs, which will then be signed by your internal PKI as a wildcard certificate.  When they sign the cert and give it back to you, when you upload it you should see it chained and shown in this screenshot:

Root --> ICA (Intermediate CA) --> SSL Cert:

Brandon_Wertz_0-1726668972596.png

 

Brandon_Wertz_1-1726669173782.png

 

 

The specific steps to get this to work can be found here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0&lang=en_US

Go to solution
KTarver
L1 Bithead
In response to Brandon_Wertz

‎09-18-2024 12:45 PM

Hi Brandon,

 

Thanks for the information!  That was very useful.  I did what you said and created the wilcard in the CN of the CSR.  That allow me to successfully import the cert created by the CA and the options are now available to select!

 

Thanks Brandon!

Go to solution
Brandon_Wertz
L6 Presenter
In response to KTarver

‎09-18-2024 01:23 PM

Awesome, glad to help.

0 Likes Likes
  • 2 accepted solutions
  • 534 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks